I want to build an openssl-fips canister to force IANA cipher suite compliance.

With the help of an openssl-iana mapping 
(https://testssl.sh/openssl-iana.mapping.html) I can identify the corresponding 
OpenSSL cipher suites.

IANA                                                            OpenSSL
TLS_RSA_WITH_AES_128_CBC_SHA as defined in RFC 5246             [0x2f] AES128-SHA
TLS_RSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5246          [0x3c] AES128-SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256 as defined in RFC 5246          [0x3d] AES256-SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384 as defined in RFC 5288          [0x9d] AES256-GCM-SHA384

TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5246      [0x67] DHE-RSA-AES128-SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 as defined in RFC 5246      [0x6b] DHE-RSA-AES256-SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 as defined in RFC 5288      [0x9f] DHE-RSA-AES256-GCM-SHA384

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5289  [0xc023] ECDHE-ECDSA-AES128-SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 as defined in RFC 5289  [0xc02b] ECDHE-ECDSA-AES128-GCM-SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 as defined in RFC 5289  [0xc024] ECDHE-ECDSA-AES256-SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 as defined in RFC 5289  [0xc02c] ECDHE-ECDSA-AES256-GCM-SHA384

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5289    [0xc027] ECDHE-RSA-AES128-SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 as defined in RFC 5289    [0xc02f] ECDHE-RSA-AES128-GCM-SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 as defined in RFC 5289    [0xc028] ECDHE-RSA-AES256-SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 as defined in RFC 5289    [0xc030] ECDHE-RSA-AES256-GCM-SHA384

How would I configure openssl-fips to force this precise compliance, 
eliminating all other cipher suites?

Thank you.

--Larry
C++ Developer
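
Added example, not part of the original post: one way to turn the mapping above into an explicit colon-separated cipher list (the form accepted by SSL_CTX_set_cipher_list() and `openssl ciphers`) and to audit an enabled list against it. The function names parse_mapping, cipher_string and audit are hypothetical, and the "drifted" input is constructed.

```python
import re

# Rows from the post above: IANA name, [code point], OpenSSL name.
MAPPING = """
TLS_RSA_WITH_AES_128_CBC_SHA [0x2f] AES128-SHA
TLS_RSA_WITH_AES_128_CBC_SHA256 [0x3c] AES128-SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256 [0x3d] AES256-SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384 [0x9d] AES256-GCM-SHA384
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 [0x67] DHE-RSA-AES128-SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 [0x6b] DHE-RSA-AES256-SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 [0x9f] DHE-RSA-AES256-GCM-SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 [0xc023] ECDHE-ECDSA-AES128-SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 [0xc02b] ECDHE-ECDSA-AES128-GCM-SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 [0xc024] ECDHE-ECDSA-AES256-SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 [0xc02c] ECDHE-ECDSA-AES256-GCM-SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 [0xc027] ECDHE-RSA-AES128-SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 [0xc02f] ECDHE-RSA-AES128-GCM-SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 [0xc028] ECDHE-RSA-AES256-SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 [0xc030] ECDHE-RSA-AES256-GCM-SHA384
"""
ROW = re.compile(r"(TLS_\w+)\s+\[0x([0-9a-f]+)\]\s+([A-Z0-9-]+)")

def parse_mapping(text):
    """Return {openssl_name: (iana_name, code_point)}, failing on any bad row."""
    suites = {}
    for line in filter(None, map(str.strip, text.splitlines())):
        m = ROW.fullmatch(line)
        if m is None:
            raise ValueError(f"unparseable mapping row: {line!r}")
        iana, code, name = m.groups()
        suites[name] = (iana, int(code, 16))
    return suites

def cipher_string(suites):
    """Explicit list of names only; no keywords such as DEFAULT or HIGH."""
    return ":".join(suites)

def audit(enabled, suites):
    """Split a colon-separated enabled list into (unexpected, missing)."""
    seen = set(filter(None, enabled.strip().split(":")))
    return sorted(seen - set(suites)), sorted(set(suites) - seen)

ALLOWED = parse_mapping(MAPPING)

if __name__ == "__main__":
    print(cipher_string(ALLOWED))
    # Constructed sample: an enabled list that drifted from the allowlist.
    drifted = cipher_string(ALLOWED).replace("AES128-SHA:", "", 1) + ":DES-CBC3-SHA"
    print(audit(drifted, ALLOWED))
```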
